A UK-based cyberlaw blog by Lilian Edwards. Specialising in online privacy and security law, cybercrime, online intermediary law (including eBay and Google law), e-commerce, digital property, filesharing and whatever captures my eye:-)
Based at The Law School of Strathclyde University . From January 2011, I will be Professor of E-Governance at Strathclyde University, and my email address will be lilian.edwards@strath.ac.uk .

Thursday, January 05, 2006

Cybercrime enters 2006, pt 3!

Several very interesting recent developments in UK cybercrime case law:

War-chalking or wireless bandwidth theft: The Register report that a man was last week fined £500 after a British jury found him guilty of using a neighborhood wireless broadband connection without permission. Gregory Straszkiewicz, 24, was also sentenced to a 12 months conditional discharge after he was convicted of dishonestly obtaining an communications service and related offences at London's Islewoth Crown Court last Wednesday (20 July). Beeb also reported it.

The case - brought under the Communications Act 2003 s 125 - is the first "war driving" prosecution in the UK, according the police. The Act - which is UK wide - introduced a new offence of dishonestly obtaining an electronic communications service with the intent to avoid a charge applicable to that service. Mr Straszkiewicz is reported to have been caught by police outside a residential building surfing the internet using a laptop. Some commentators have suggested that this might extend the criminal law to surfers who accidentally jump onto another party's net connection (easy to do if a host is using an unsecured connection with no encryption, as many still do). IMHO the mens rea requirement makes this seem unlikely however.

Denial of service (DDOS): in my soon to be published article Edwards L “Dawn of the Death of Distributed Denial of Service: How To Kill Zombies” forthcoming(2006) Cardozo Arts and Entertainment Journal, I expressed doubts, contrary to the rather more optimistic approach of both the police and APIC (the All Parliamentary Internet Group), that the Computer Misuse Act 1990, s 3, did indeed criminalise denial of service per se.

Section 3 of the CMA prohibits unauthorised modification of computer data - and was originally intended to criminalise the spreading of comoputer viruses (having been drafted long before DoS became common). DoS basically involves sending so many page or access requests to a computer server that it falls over. It has long been uncertain if this would constitute an "unauthorised modification" under s 3 - if sending one email is a legitimate act, impliedly authorised by the website or server, and not a "modification", is sending 5 million? I think not, although the policy implications are obviously unfortunate.

A UK court has now agreed with me. The judge, District Judge Kenneth Grant , in a November 2005 case at Wimbledon Magistrate's Court , involving a teenager who could not be named for legal reasons, but who had allegedly sent five million emails to a former employer to cause a DoS attack, ruled:

"In this case, the individual emails caused to be sent each caused a modification which was in each case an 'authorised' modification. Although they were sent in bulk resulting in the overwhelming of the server, the effect on the server is not a modification addressed by [the Act]."

As Peter Sommer, a senior research fellow in the London School of Economics' Information Systems department, put it "When you send an e-mail to an e-mail server, you are not modifying that server, because the purpose of the e-mail server is to sit around waiting to receive e-mails aimed at that domain,".

It is not clear from available evidence if the teenager was ever charged with an offense under s 1 of the CMA wich prohibits unauthorised access to a computer or data. It has been hypothesised that a distributed DoS attack, which involves enslaving a large network of unknowing "bot" computers via hacking or virus infestation to send the emails that form the DoS attack, might be susceptible to a s 1 charge. But if the emails the teenager sent contained no malicious material, and he did not use any means of unauthorised access to send email to the victim's server, or utilise a bot network, then s 1 would also not be relevant.

It is likely we will now see legislative change on both "vanilla" DoS and Distributed DoS. A Private Member's Bill already introduced will be read again in 2006. The Scottish courts are also soon likely to have a chance to rule on DoS when the case of a man in Elgin comes to court.

Sony had some extremely bad press near the end of 2005 when it transpired that Digital Rights Management (or technical protection measures or TPM) software they had placed on some music CDs to prevent them being ripped or played via iTunes, had had the unfortunate additional effects of acting as spyware and rendering user machines vulnerable to virus attacks by third parties. The DRM software was invisible to the user when the CD was loaded, and the EULA laid down that users accepted the DRM as a condition of purchase.

Sony are now under threat of prosecution from various state attorneys in the US and in other countries. They have already made a financial settlement which is likely to protect them from criminal prosecution in the US but Naked Law are now speculating as to whether s 3 of the CMA (that old warhorse again :-)could be used to prosecute Sony in the UK. The matter is likely to be academic, as there is no evidemce any consumer in the UK has suffered from the DRMed CDs, but the interesting question is whether s 3, which makes it an offence to intentionally modify the contents of a computer without the consent of the user, would apply. Users must accept the EULA to play the CD, but the EFF have claimed in the past in relation to similar Sony DRM-protected CDs that "the [DRM] software is installed prior to display of the relevant EULA, and is not removed even if a user does not accept the terms of the EULA". There is as well as the question of how far a user can consent to a criminal act the full consequences of which he is largely or wholly ignorant.